Palo Alto – Monitoring GlobalProtect VPN User Logins

When monitoring GlobalProtect VPN user logins on a Palo Alto firewall, you can find the following details in the authentication logs:

Login Time: Look for “auth-success” log entries. The timestamp of this entry shows when the user successfully authenticated and logged into the GlobalProtect VPN.
Duration: Palo Alto does not explicitly log the duration of a GlobalProtect VPN session in the authentication logs. However, you can estimate the duration by looking at the difference between the “auth-success” (login) timestamp and the subsequent “auth-logout” (logout) timestamp for that user.
Logout Time: Look for “auth-logout” log entries for that user. The timestamp of this entry shows when the user logged out or their GlobalProtect VPN session terminated.

( eventid eq auth-success ) and ( description contains '{AD_USER_ID}' )

Alternatively, you can check the auth.log file on the firewall, which contains these “auth-success” and “auth-logout” entries with timestamps for GlobalProtect VPN user activity.

Palo Alto – Monitoring GlobalProtect VPN User Logins

Understanding and Configuring TLS Versions in a Windows Environment

2024 Security Megatrends: Navigating the Future of the Security Industry

Cisco’s AI Readiness Index Overview

Palo Alto – Choosing the right Software for your Palo Alto Devices